diff options
| author | Matthew Somerville <matthew-github@dracos.co.uk> | 2019-04-24 19:02:49 +0100 |
|---|---|---|
| committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2019-05-07 15:30:12 +0100 |
| commit | 8246580437ca944f361789dc72bf74b624f06c36 (patch) | |
| tree | 70497fd011275f3e4ee92140e7246767d9586782 /t/app/controller | |
| parent | 28d1bb38e430588f0c19b2366cc14d52e98b02d0 (diff) | |
Improve non_public photo handling.
Clear the photo cache if the non_public flag is switched on, do not
cache non_public or LOGIN_REQUIRED photos, remove non_public photos
from memcached recent lists, pass through any cookies on non_public
reports/updates, and check the non_public flag on photo lookup.
Diffstat (limited to 't/app/controller')
| -rw-r--r-- | t/app/controller/photo.t | 71 |
1 files changed, 70 insertions, 1 deletions
diff --git a/t/app/controller/photo.t b/t/app/controller/photo.t index 842daa0dc..e1bf35fcf 100644 --- a/t/app/controller/photo.t +++ b/t/app/controller/photo.t @@ -13,7 +13,7 @@ my $mech = FixMyStreet::TestMech->new; my $sample_file = path(__FILE__)->parent->child("sample.jpg"); ok $sample_file->exists, "sample file $sample_file exists"; -my $westminster = $mech->create_body_ok(2527, 'Liverpool City Council'); +my $body = $mech->create_body_ok(2527, 'Liverpool City Council'); subtest "Check multiple upload worked" => sub { $mech->get_ok('/around'); @@ -112,4 +112,73 @@ subtest "Check photo uploading URL and endpoints work" => sub { }; }; +subtest "Check no access to update photos on hidden reports" => sub { + my $UPLOAD_DIR = tempdir( CLEANUP => 1 ); + + my ($report) = $mech->create_problems_for_body(1, $body->id, 'Title'); + my $update = $mech->create_comment_for_problem($report, $report->user, $report->name, 'Text', $report->anonymous, 'confirmed', 'confirmed', { photo => $report->photo }); + + FixMyStreet::override_config { + PHOTO_STORAGE_BACKEND => 'FileSystem', + PHOTO_STORAGE_OPTIONS => { + UPLOAD_DIR => $UPLOAD_DIR, + }, + }, sub { + my $image_path = path('t/app/controller/sample.jpg'); + $image_path->copy( path($UPLOAD_DIR, '74e3362283b6ef0c48686fb0e161da4043bbcc97.jpeg') ); + + $mech->get_ok('/photo/c/' . $update->id . '.0.jpeg'); + + $report->update({ state => 'hidden' }); + $report->get_photoset->delete_cached(plus_updates => 1); + + my $res = $mech->get('/photo/c/' . $update->id . '.0.jpeg'); + is $res->code, 404, 'got 404'; + }; +}; + +subtest 'non_public photos only viewable by correct people' => sub { + my $UPLOAD_DIR = tempdir( CLEANUP => 1 ); + path(FixMyStreet->path_to('web/photo'))->remove_tree({ keep_root => 1 }); + + my ($report) = $mech->create_problems_for_body(1, $body->id, 'Title', { + non_public => 1, + }); + + FixMyStreet::override_config { + PHOTO_STORAGE_BACKEND => 'FileSystem', + PHOTO_STORAGE_OPTIONS => { + UPLOAD_DIR => $UPLOAD_DIR, + }, + }, sub { + my $image_path = path('t/app/controller/sample.jpg'); + $image_path->copy( path($UPLOAD_DIR, '74e3362283b6ef0c48686fb0e161da4043bbcc97.jpeg') ); + + $mech->log_out_ok; + my $i = '/photo/' . $report->id . '.0.jpeg'; + my $res = $mech->get($i); + is $res->code, 404, 'got 404'; + + $mech->log_in_ok('test@example.com'); + $i = '/photo/' . $report->id . '.0.jpeg'; + $mech->get_ok($i); + my $image_file = FixMyStreet->path_to("web$i"); + ok !-e $image_file, 'File not cached out'; + + my $user = $mech->log_in_ok('someoneelse@example.com'); + $i = '/photo/' . $report->id . '.0.jpeg'; + $res = $mech->get($i); + is $res->code, 404, 'got 404'; + + $user->update({ from_body => $body }); + $user->user_body_permissions->create({ body => $body, permission_type => 'report_inspect' }); + $i = '/photo/' . $report->id . '.0.jpeg'; + $mech->get_ok($i); + + $user->update({ from_body => undef, is_superuser => 1 }); + $i = '/photo/' . $report->id . '.0.jpeg'; + $mech->get_ok($i); + }; +}; + done_testing(); |